CVE-2021-42550 Vulnerable logback version 1.2.10 in SonarQube Community 9.9 LTS

sergimrz · December 27, 2024, 10:07am

Hello,

Similar to this previous issue there’s a new vulnerability on the logback-core, this time affecting the version 9.9 LTS:

CVE Website

The logack-core version used by the LTS release is the 1.2.10 and the one that resolves the vulnerability is the 1.5.13.

There’s any plan to resolve it on the LTS version or it’s also an assumable risk?

Thanks in advance,
Sergi.

Colin · December 27, 2024, 10:18am

Hey there,

I’ve unlisted your topic since you’re reporting a vulnerability. Our responsible disclosure policy asks that you email security@sonarsource.com rather than making public posts. Could you please re-send this to security@sonarsource.com?

Thanks!

Topic		Replies	Views
CVE-2021-42550 Vulnerable logback version 1.2.7 in SonarQube 8.9.6 SonarQube Server / Community Build sonarqube , security	6	1250	March 9, 2022
Is sonarqube 7.9.5 vulnerable to (CVE-2021-44228) log4j vulnerabilities SonarQube Server / Community Build sonarqube	20	4497	December 29, 2021
Is sonarqube 9.9 LTS is covered with CVE-2022-42889 vulnerability? SonarQube Server / Community Build sonarqube	1	540	June 8, 2023
SonarQube 8.9.4 LTS and 9.2.2 released Releases sonarqube	8	6190	December 15, 2021
Dependencies Vulnerabilities Sonarqube Community 9.9 SonarQube Server / Community Build sonarqube	1	308	February 16, 2024